🔄 synced file(s) with dealroom/core-mothership (#220)

Co-authored-by: dealroomba-app[bot] <189869926+dealroomba-app[bot]@users.noreply.github.com>

.github/workflows/autolabel.yml

@@ -21,9 +21,16 @@ jobs:
       contents: write
       pull-requests: write
       repository-projects: write
-    env:
-      GH_TOKEN: ${{ secrets.GH_TOKEN_DEALROOMBA }}
     steps:
+      - name: Get App Token
+        id: get_workflow_token
+        uses: peter-murray/workflow-application-token-action@8e4e6fbf6fcc8a272781d97597969d21b3812974 # v4.0.0
+        with:
+          organization: dealroom
+          application_id: ${{ secrets.DEALROOMBA_APP_ID }}
+          application_private_key: ${{ secrets.DEALROOMBA_APP_PRIVATE_KEY }}
+          permissions: "metadata:read,pull_requests:write"
+          revoke_token: true
       - name: Dependabot metadata
         id: dependabot-metadata
         uses: dependabot/fetch-metadata@dbb049abf0d677abbd7f7eee0375145b417fdd34 # v2.2.0
@@ -33,23 +40,27 @@ jobs:
           gh pr edit "$PR_URL" --add-label "update-major"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
       - name: Add a label for a minor update
         id: dependabot-label-minor
         if: steps.dependabot-metadata.outputs.update-type == 'version-update:semver-minor'
         run: |
           gh pr edit "$PR_URL" --add-label "update-minor"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
       - name: Add a label for a patch update
         id: dependabot-label-patch
         if: steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch'
         run: |
           gh pr edit "$PR_URL" --add-label "update-patch"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}
       - name: Add a label force-lint for a super-linter upgrades
         if: contains(steps.dependabot-metadata.outputs.dependency-names, 'super-linter')
         run: |
           gh pr edit "$PR_URL" --add-label "force-lint"
         env:
           PR_URL: ${{ github.event.pull_request.html_url }}
+          GH_TOKEN: ${{ steps.get_workflow_token.outputs.token }}

.github/workflows/lint.yml

@@ -65,6 +65,15 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+      - name: Get App Token
+        id: get_workflow_token
+        uses: peter-murray/workflow-application-token-action@8e4e6fbf6fcc8a272781d97597969d21b3812974 # v4.0.0
+        with:
+          organization: dealroom
+          application_id: ${{ secrets.DEALROOMBA_APP_ID }}
+          application_private_key: ${{ secrets.DEALROOMBA_APP_PRIVATE_KEY }}
+          permissions: "metadata:read,packages:read,contents:read"
+          revoke_token: true
       - name: Ensure SHA pinned actions
         uses: zgosalvez/github-actions-ensure-sha-pinned-actions@5d6ac37a4cef8b8df67f482a8e384987766f0213 # v3.0.17
       - name: Check that "do-not-merge" label is not present
@@ -84,15 +93,15 @@ jobs:
         uses: ./.github/actions/setup
         if: steps.check_files.outputs.files_exists == 'true'
         with:
-          github-token: ${{ secrets.GH_TOKEN_DEALROOMBA }}
+          github-token: ${{ steps.get_workflow_token.outputs.token }}
           extensions: ${{ vars.EXTENSIONS || 'none' }}
       - name: Lint Codebase
         uses: super-linter/super-linter/slim@e1cb86b6e8d119f789513668b4b30bf17fe1efe4 # v7.2.0
         # For a full list of environment variables see `.github/super-linter.env`
         env:
           GITHUB_TOKEN: ${{ github.token }}
           # Required for checkov pulling external modules from private repositories
-          GITHUB_PAT: ${{ secrets.GH_TOKEN_DEALROOMBA }}
+          GITHUB_PAT: ${{ steps.get_workflow_token.outputs.token }}
           VALIDATE_ALL_CODEBASE: ${{ vars.LINT_VALIDATE_ALL_CODEBASE || 'true' }}
           VALIDATE_PHP_PHPSTAN: ${{ vars.LINT_VALIDATE_PHPSTAN || null }}
 
@@ -106,11 +115,20 @@ jobs:
       # To write Super-linter status checks
       statuses: write
     steps:
+      - name: Get App Token
+        id: get_workflow_token
+        uses: peter-murray/workflow-application-token-action@8e4e6fbf6fcc8a272781d97597969d21b3812974 # v4.0.0
+        with:
+          organization: dealroom
+          application_id: ${{ secrets.DEALROOMBA_APP_ID }}
+          application_private_key: ${{ secrets.DEALROOMBA_APP_PRIVATE_KEY }}
+          permissions: "metadata:read,contents:write,workflows:write"
+          revoke_token: true
       - name: Checkout Repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
-          token: ${{ secrets.GH_TOKEN_DEALROOMBA }}
+          token: ${{ steps.get_workflow_token.outputs.token }}
       - name: Check if a setup action exists
         id: check_files
         uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0
@@ -122,7 +140,7 @@ jobs:
         uses: ./.github/actions/setup
         if: steps.check_files.outputs.files_exists == 'true'
         with:
-          github-token: ${{ secrets.GH_TOKEN_DEALROOMBA }}
+          github-token: ${{ steps.get_workflow_token.outputs.token }}
           extensions: ${{ vars.EXTENSIONS || 'none' }}
       - name: Add ignores to .prettierignore file
         run: |
@@ -174,7 +192,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ github.token }}
           # Required for checkov pulling external modules from private repositories
-          GITHUB_PAT: ${{ secrets.GH_TOKEN_DEALROOMBA }}
+          GITHUB_PAT: ${{ steps.get_workflow_token.outputs.token }}
           VALIDATE_ALL_CODEBASE: ${{ vars.LINT_VALIDATE_ALL_CODEBASE || 'true' }}
           VALIDATE_PHP_PHPSTAN: ${{ vars.LINT_VALIDATE_PHPSTAN || null }}
           # Do not write summary as we do not need it here